We propose a cheat sensitive quantum protocol to perform a private search on a classical database
which is efficient in terms of communication complexity. It allows a user to retrieve an item from the
server in possession of the database without revealing which item she retrieved: if the server tries to
obtain information on the query, the person querying the database can find it out. Furthermore our
protocol ensures perfect data privacy of the database, i.e. the information that the user can retrieve
in a single query is bounded and does not depend on the size of the database. With respect to
the known (quantum and classical) strategies for private information retrieval, our protocol displays
an exponential reduction both in communication complexity and in running-time computational
complexity.



Privacy is a major concern in many information transactions. A familiar example is provided by the
transactions between web search engines and their users. On one hand, the user (say Alice) would
typically prefer not to reveal to the server the item she is interested in (user privacy). On the
other hand, the server (say Bob) would like not to disclose more information than that Alice has
asked for (data privacy). User and data privacy are apparently in conflict: the most straightforward
way to obtain user privacy is for Alice to have Bob send her the entire database, leading to no data
privacy whatsoever. Conversely, techniques for guaranteeing the server's data privacy typically leave
the user vulnerable. At the information theoretical level, this problem has been formalized by
Gertner et al. as the Symmetrically-Private Information Retrieval (SPIR). This is a generalization
of the Private Information Retrieval (PIR) problem, which deals with user privacy alone. (SPIR is
closely related to oblivious transfer, in which Bob sends to Alice N bits, out of which Alice can
access exactly one: which one, Bob doesn't know.) No efficient solutions in terms of communication
complexity are known for SPIR. Indeed, even rephrasing them at a quantum level, the best known
solution for the SPIR problem (with a single database server) employs O(N) qubits to be exchanged
between the server and the user and ensures data privacy only in the case of honest users (here N is
the number of items contained in the database, while an honest user is defined as one who does not
want to compromise her chances of getting the information about the selected item in order to get
more). PIR admits protocols that are more efficient in terms of communication complexity. As will be
seen below, however, both PIR and SPIR necessarily require O(N) computational complexity on the
part of the database.

In this paper we present a new quantum cryptographic primitive, the quantum private query (QPQ),
which allows an exponential reduction in the communication and computational complexity with
respect to the best (quantum or classical) SPIR protocol proposed so far.



QPQ ensures perfect data privacy and it exploits a cheat sensitive strategy that allows Alice to
determine whether Bob has been trying to cheat to obtain information about her query. In other
words, Alice can ask Bob's database a question and obtain the answer, together with a quantum
certificate that Bob retains no record of what question she asked. With respect to (classical or
quantum) SPIR and oblivious transfer protocols QPQ presents an exponential reduction in
communication complexity. This comes from the fact that information theoretic SPIR protocols
require the exchange of the whole database, O(N) qubits, while QPQ requires the exchange of only
two database elements, identified by O(log N) qubits. Quantum Private Queries also provides an
exponential reduction in computational complexity over all classical PIR schemes, whether symmetric
or not. In both cryptographic and information-theoretic PIR protocols, the owner(s) of the
database(s) must perform O(N) 'internal' database calls in response to Alice's query. That is, as
part of the protocol, Bob must perform operations that access every entry in his database, using
some cryptographic primitive such as a public key supplied by Alice. If the PIR protocol requires
Bob to perform fewer than N internal database calls, then he obtains information about Alice's
query simply by monitoring which database entries were and were not called in the course of
executing the protocol. That is, a classical PIR protocol necessarily has database computational
complexity O(N) per query. In contrast, Quantum Private Queries require only two internal database
calls per use, each using only O(log N) time steps.

Quantum private queries achieve two competing goals: Bob can provide the service of private
searching without having to give up his database, and Alice can test his honesty without having to
trust him. The basic idea underlying the protocol is simple: Bob, as a sign of his discretion,
returns not only the answer to Alice's query, but the original query itself, retaining no copy.
Alice, in addition to performing normal queries, can also perform quantum superpositions of
different queries. This means that in addition to being able to request the jth or the kth records
in the database, she can also request both records in a quantum superposition. To find out whether
Bob is trying to discover her queries, she just has to send proper superpositions of queries and
check Bob's answer to see whether the superposition has been preserved. In this case, she can be
confident that Bob has retained no information about her query: any capture of information by Bob
would have induced a disturbance. The user security rests on Bob's impossibility of discovering the
generic quantum state of Alice's query. Two basic elements of quantum theory enforce this: the
no-cloning theorem [11] (which forbids the discovery of the state starting from a single copy of it
[12]), and the inability fully to characterize a composite system using only local operations. The
database security of QPQ is ensured by the finite number of signals Bob is sending back to Alice.
As we will see these can be as low as two. This automatically implies that in the QPQ a dishonest
Alice will be able to recover at most two items from the database, to be compared with the
O(log N) bits of information a dishonest user will be able to acquire in the quantum SPIR protocols.

FIG. 1: Scheme of the QPQ protocol. Alice wants to find out the jth record of Bob's database. She
then prepares two n-qubit registers, one contains the state $|j\rangle_Q$, the other contains the
quantum superposition $(|j\rangle_Q + |0\rangle_Q)/\sqrt{2}$. (She knows that the 0th record of
Bob's database contains the fixed value $A_0 = 0$.) She then sends, in random order, these two
registers to Bob, waiting for his first reply before sending the second. Bob uses each of the two
registers to interrogate his database using a qRAM device, which records the reply to her queries
in a register R. At the end of their exchange, Alice possesses the states
$|j\rangle_Q|A_j\rangle_R$ and $(|j\rangle_Q|A_j\rangle_R + |0\rangle_Q|0\rangle_R)/\sqrt{2}$, where
$A_j$ is the content of the jth record in the database. By measuring the first she obtains the
value of $A_j$, with which she can check whether the superposition in the second state was
preserved. In this case she can be confident Bob obtained no information on what j was.

The rest of this paper is devoted to making the previous ideas rigorous and to providing the
details of the protocols. We start by describing the quantum communication protocol that Alice and
Bob must follow, and give a security analysis. We then conclude with a discussion on how Bob can
interrogate his database preserving Alice's superposed queries.



To submit her query on the jth record of Bob's database, Alice uses an n qubit memory register Q.
It allows her to interrogate a database of up to $N = 2^n$ elements. To test whether Bob is
cheating and is trying to find out what her query is, she needs to submit a superposition of
queries. So she prepares two copies of the register Q, one is initialized as $|j\rangle_Q$, the
other as $(|j\rangle_Q + |0\rangle_Q)/\sqrt{2}$ (we suppose that the 0th record in Bob's database
contains a fixed reference value known to her). She then randomly chooses one of these two
registers and sends it to Bob. He interrogates his database using it as an index register employing
the qRAM algorithm described below [see Eq. (4)]. It returns a second register R which contains the
answer to the query, and which may be entangled with the register Q if the latter was in the
superposition state (without loss of generality we can assume R to be a single qubit). Bob sends
back the Q and R registers to Alice. She then sends him her second Q register, which, again, is
employed by Bob to interrogate his database and sent back to Alice together with a new R register
containing the answer to her second query. It is important to stress that Bob never knows if the
register he receives from Alice is the one containing the quantum superposition or the other one:
this means he does not know which measurement could extract information on j without disturbing the
register. The number of exchanged qubits is $2(n+1) = 2(\log N + 1)$ (of these only 2 contain
information on the database). We see that, in attempting to obtain information about Alice's state,
Bob must try to distinguish between two possible states that have overlap $1/\sqrt{2}$. That is,
Bob's position is isomorphic to that of Eve in conventional quantum cryptography, and any attempt
on his part to gain information must necessarily be detected by Alice: the tradeoff between the
information that Bob can obtain and his probability of being detected by Alice are essentially the
same as in quantum cryptography (see, e.g., [13]) as we now demonstrate.

After this double exchange with Bob, Alice is in possession of the two states
$|\psi_1\rangle = |j\rangle_Q|A_j\rangle_R$ and
where $A_m$ is the content of the mth record in the database (without loss of generality we can
suppose that $A_0 = 0$). She can recover the value of $A_j$ by measuring $|\psi_1\rangle$. This
value answers her query, and can be used to construct a measurement to test whether the second
state is really of the form $|\psi_2\rangle$ given in Eq. (1). We will show that if Bob is acquiring
information on j, he will be perturbing the superposition state $|\psi_2\rangle$ and Alice has a
nonzero probability of finding it out. The only assumption necessary (which may be dropped by
complicating the protocol slightly) is that the value $A_j$ is uniquely determined by j, i.e. that
there cannot be two different answers to one query.
The simple protocol described here can be easily modified to increase its performance. First of
all, in place of the fixed superposition $(|j\rangle_Q + |0\rangle_Q)/\sqrt{2}$, we can allow Alice
to employ any arbitrary superposition $\alpha|j\rangle + \beta|0\rangle$ with complex amplitudes
$\alpha$ and $\beta$ unknown to Bob. In this way Bob's ability of masking his actions is greatly
reduced. More generally, instead of creating a superposition with the reference query
$|0\rangle_Q$, she could superimpose two (or more) different queries. In this case, in addition to
the query j which she is interested in, she randomly chooses another query (say the k-th). Now she
prepares three n-qubit registers in the states $|j\rangle$, $|k\rangle$, and
$(|j\rangle + |k\rangle)/\sqrt{2}$. As in the case discussed previously, she sends the registers to
Bob in random order and one-by-one (i.e. she waits for Bob's reply before submitting the next). At
the end of their exchange, if Bob has not cheated, Alice is in possession of three states: i.e.
$|j\rangle|A_j\rangle$, $|k\rangle|A_k\rangle$, and
$(|j\rangle|A_j\rangle + |k\rangle|A_k\rangle)/\sqrt{2}$. She starts by measuring the first two, in
order to find out the values of $A_j$ and $A_k$: the former is the answer she was looking for, the
latter will be used to prepare a measurement to test the third state to see whether the
superposition has been retained. In this case she can conclude that Bob has not cheated. Notice
that, in contrast to the classical strategies where she hides her query among randomly chosen ones,
the security of the QPQ does not rest on the classical randomness of the queries. This is evident
from the simplest version of the protocol, where the single query j is answered. However, this
classical randomness is a useful resource also for QPQ, since Alice can increase the probability of
catching a cheating Bob by choosing a high number of random queries in her superposition.

The user security of the protocol rests on two key features, namely, the fact that Alice is sending
her queries in random order, and the fact that she is sending them one by one. The first feature
prevents Bob from knowing which kind of query he is receiving at each time: if he knew when the
superposed queries are arriving, he would just let them through without measuring them and measure
the other queries, finding out j and evading detection. The second feature prevents Bob from
employing joint measurements on the queries. In fact, if he was allowed joint measurements, he
would find out the value of j since the subspaces spanned by the joint states of Alice's queries
are orthogonal for different choices of j.

To discuss the user security of the protocol it is worth starting from a simple cheating strategy.
Suppose for instance that Bob performs projective measurements on both of Alice's queries. By doing
so he will always recover the value of j. Moreover with probability 1/2, one of his two measurement
results will return 0 in correspondence to Alice's superposed query. In this case, Bob's attempt at
cheating is successful, as he can correctly re-prepare both of Alice's queries. However, with
probability 1/2, Bob gets j from both measurements, and it will be impossible for him to determine
which was the order of Alice's queries. In this case, no strategy of his has more than 1/2
probability of passing Alice's test. In fact, this is the probability that a state of the form
$|j\rangle_Q|A_j\rangle_R$ passes the test of being of the form
$(|j\rangle_Q|A_j\rangle_R + |0\rangle_Q|0\rangle_R)/\sqrt{2}$. If Bob uses this cheating strategy,
Alice can find it out with probability 1/4 (this number can be easily increased using the modified
QPQ protocols discussed above).
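The 1/4 figure can be checked with a small exact state-vector calculation. The following is an added example, not code from the paper: it follows the paragraph's own accounting (Bob re-prepares the superposition whenever a measurement returns 0, and otherwise returns the collapsed state), and the sample database and all function names are assumptions made for illustration.

```python
import math

# Constructed sample database (assumption): record 0 holds the reference value 0.
DATABASE = [0, 1, 0, 1, 1, 0, 1, 0]

def normalize(state):
    """Scale a {basis label: amplitude} state to unit norm."""
    norm = math.sqrt(sum(abs(a) ** 2 for a in state.values()))
    return {k: a / norm for k, a in state.items()}

def query_state(indices):
    """Equal superposition of address kets |q> on register Q."""
    return normalize({q: 1.0 for q in indices})

def qram(query, db):
    """Honest Bob: sum_q a_q |q>  ->  sum_q a_q |q>|A_q>, as in Eq. (4)."""
    return {(q, db[q]): amp for q, amp in query.items()}

def overlap_sq(a, b):
    """|<a|b>|^2 for two states over the same basis labels."""
    return abs(sum(a[k].conjugate() * b.get(k, 0.0) for k in a)) ** 2

def alice_pass_probability(j, a_j, returned):
    """Alice projects the returned Q,R registers onto (|j>|A_j> + |0>|0>)/sqrt(2)."""
    expected = normalize({(j, a_j): 1.0, (0, 0): 1.0})
    return overlap_sq(expected, returned)

def honest_detection(j, db):
    """Probability that Alice's test fails when Bob only runs the qRAM."""
    if j == 0:
        raise ValueError("j must differ from the reference record 0")
    returned = qram(query_state([j, 0]), db)
    return 1.0 - alice_pass_probability(j, db[j], returned)

def measuring_bob_detection(j, db):
    """Probability that Alice catches a Bob who measures Q on both queries."""
    if j == 0:
        raise ValueError("j must differ from the reference record 0")
    detected = 0.0
    # Bob's measurement of the superposed register yields 0 or j.
    for outcome, amp in query_state([j, 0]).items():
        p_outcome = abs(amp) ** 2
        if outcome == 0:
            # A result of 0 marks the superposed register; Bob re-prepares it.
            returned = qram(query_state([j, 0]), db)
        else:
            # Both results equal j: Bob can only send back |j>|A_j>.
            returned = {(j, db[j]): 1.0}
        p_fail = 1.0 - alice_pass_probability(j, db[j], returned)
        detected += p_outcome * p_fail
    return detected

if __name__ == "__main__":
    print("honest Bob detected with probability", honest_detection(3, DATABASE))
    print("measuring Bob detected with probability", measuring_bob_detection(3, DATABASE))
```
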

What if Bob employs a more sophisticated cheating strategy? Bob is presented randomly with one
among two possible scenarios (A or B) depending on which state Alice sends first. These scenarios
refer to the following joint states of her query
$|S_A\rangle = |j\rangle_{Q_1}(|j\rangle_{Q_2} + |r\rangle_{Q_2})/\sqrt{2}$ and
$|S_B\rangle = (|j\rangle_{Q_1} + |r\rangle_{Q_1})|j\rangle_{Q_2}/\sqrt{2}$, where $Q_1$ and $Q_2$
are her first and second query. The failure of the above cheating strategy stems from Bob's
impossibility to determine which scenario Alice is using. This is a common problem to all cheating
strategies: it is related to the non-orthogonality of the states $|S_A\rangle$ and $|S_B\rangle$,
and to the limit posed by the timing of the protocol (to gain access to $Q_2$, Bob must first
respond to $Q_1$). Working along these lines, one can show that Alice has a nonzero probability of
discovering that Bob is cheating, whatever sophisticated methods he employs. More precisely,
following a derivation which is similar to that performed in Ref. it can be shown that his
impossibility of performing joint measurements on $Q_1$ and $Q_2$ places a bound on the information
Bob obtains on j: Alice can enforce the privacy of her queries by requiring that Bob is never
caught cheating. Here we just sketch the main idea of the security proof, providing the details
elsewhere.

Any action by Bob in response to Alice's two queries can be described in terms of two unitary
transformations $U_1$ and $U_2$. The transformation $U_1$ acts on the registers $Q_1$, $R_1$ and on
an ancillary system B which is under Bob's control (it also includes his database). The
transformation $U_2$ acts on $Q_2$, $R_2$ and B. If Bob is not cheating, $U_1$ and $U_2$ are
instances of the qRAM algorithm of Eq. (4) below: they coherently copy the information from the
database to the R registers leaving the ancilla B in its initial state. If instead Bob is cheating,
at the end of the communication the system B will be correlated with the rest. In this case Alice's
final state is the mixture
where the label $\ell = A, B$ refers to the scenario used by Alice to submit her query j, and where
$|\Psi_\ell(j)\rangle = |S_\ell\rangle_{Q_1Q_2}|0\rangle_{RB}$ is the corresponding input state
($|0\rangle_{RB}$ being the initial state of the registers $R_{1,2}$ and of the ancilla B). The
probability $1 - P_\ell(j)$ that the state $\rho_\ell(j)$ supplied by Bob will pass Alice's test
can be easily computed by considering its overlap with the states corresponding to the answer that
a non-cheating Bob would provide. On Bob's side, the information $I_B$ that he retains on the query
is stored in the final state of the ancilla B, i.e.

$$\sigma_\ell(j) = \mathrm{Tr}_{Q_1Q_2R_1R_2}\left[ U_2 U_1 |\Psi_\ell(j)\rangle\langle\Psi_\ell(j)| U_1^\dagger U_2^\dagger \right] . \qquad (3)$$
An information-disturbance trade-off can be obtained by noticing that if $1 - P_\ell(j) = 1$, then
$\sigma_\ell(j)$ must be independent from j. Specifically, requiring $P_\ell(j) \le \epsilon$ for
all $\ell$ and j, one can show that $1 - F(\sigma_\ell(j), \sigma_*) \le O(\epsilon^{1/4})$, where
$\sigma_*$ is a fixed state and F the fidelity [15]. Therefore, in the limit of $P_\ell(j) \to 0$
(i.e. Bob passes the test with high probability), we see that the states he retains are independent
from the label j. This can also be transformed into an upper bound on the mutual information $I_B$
evaluating the Holevo information associated to the ensemble $\{p_j, \sigma(j)\}$ where
$p_j = 1/N$ is the probability that Alice will send the j-th query, and where
$\sigma(j) = [\sigma_A(j) + \sigma_B(j)]/2$ is the final state of B (from his point of view), since
Alice randomly chooses among the scenarios A and B with probability 1/2. By doing so it can be
shown that $I_B < O(\epsilon^{1/4} \log_2 N)$.

In closing, we comment on the quantum random access memory (qRAM) algorithm that Bob uses to
interrogate his database while preserving coherence, as required by the QPQ protocol. The aim of
the qRAM protocol is to read, in a memory array, a location specified by an index register Q, and
return the contents in a second register R. The register Q may contain a quantum superposition of
location addresses. The content of the n-qubit address-register Q is correlated by a unitary
transformation U to the spatial position of a single qubit, which acts as a data bus. This means
that the binary encoding in the quantum register is translated into a unary encoding on the
location of the bus qubit, which thus ends up in one of $2^n$ possible locations (or in more than
one location in quantum superposition). Now the qubit locally interacts with the memory cell array,
and the addressing procedure is reversed by running the binary-to-unary encoding U protocol
backwards (an "uncomputation" performed by the unitary $U^\dagger$). This decorrelates the position
of the bus qubit from the Q register (otherwise quantum coherence would be destroyed). Its internal
state contains the value of the memory cell (cells) that was to be read. Essentially, the qRAM
algorithm implements the transformation

$$\sum_j \alpha_j |j\rangle_Q \;\longrightarrow\; \sum_j \alpha_j |j\rangle_Q |A_j\rangle_R , \qquad (4)$$

where $A_j$ is the content of the jth memory location, and $\alpha_j$ are arbitrary amplitudes.

Conventional designs for quantum random access memory based on classical architectures require
$O(2^n)$ quantum logic operations to perform a qRAM call. However, we have recently exhibited qRAM
designs in which the number of quantum logic operations to perform a call can be reduced to
$O(n)$. Hence, constructing a qRAM for quantum private queries should be significantly easier than
constructing a large-scale quantum computer.